
NPM package manager: IllegalStateException: The path to 'package.json' is null in ModuleInfo

Open daniel-kr opened this issue 6 months ago • 4 comments

Describe the bug

When I perform an ORT analysis on our NPM project, I get an error (see below) for some of the package.json files of the project.

The project is set up in a monorepo that consists of a root package.json and additional package.json files of sub-components. The root one specifies the dependencies while the sub-components use peerDependencies to refer to them.

To Reproduce

Steps to reproduce the behavior:

  1. Run ort analyze on the root of our compound repository
  2. See error

Expected behavior

ort analyze succeeds without the mentioned error.

Console / log output

05:55:42.081 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.PackageManager - NPM failed to resolve dependencies for path 'my-project/libs/my-component/package.json': IllegalStateException: The path to 'package.json' is null in ModuleInfo(name=null, version=null, path=null, id=null, dependencyConstraints={}, dependencies={}, optional=false, dev=false, resolved=null).

Environment

We are using the ORT docker image as a base and change the installed node version to 18.19.1 to fit the needs of our project.

Output of the ort requirements command:

NOTE: Picked up JDK_JAVA_OPTIONS: -Xmx5120m
Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 59.3.0,
|    |   | |       _/ |    |    built with JDK 21.0.7+6-LTS, running under Java
|    |   | |    |   \ |    |    Executing ‘requirements’ as ‘ort’ on Linux
\________/ |____|___/ |____|    with 32 CPUs and a maximum of 5120 MiB of memor
Environment variables:
ORT_DATA_DIR = /home/ort/data
ORT_CONFIG_DIR = /home/ort/config
HOME = /home/ort
JAVA_HOME = /opt/java/openjdk
Looking for ORT configuration in the following file:
        /home/ort/config/config.yml (does not exist)
Scanners:
        - Askalono: Requires ‘askalono’ in no specific version. Tool not found.
        - BoyterLc: Requires ‘lc’ in no specific version. Tool not found.
        - Licensee: Requires ‘licensee’ in no specific version. Tool not found.
        + ScanCode: Requires ‘scancode’ in version >=30.0.0. Could not determine the version.
PackageManagers:
        - Bazel: Requires ‘bazel’ in version >=7.0.0. Tool not found.
        + Bower: Requires ‘bower’ in version >=1.8.8. Could not determine the version.
        - Buildozer: Requires ‘buildozer’ in no specific version. Tool not found.
        * Cargo: Requires ‘cargo’ in no specific version. Found version 1.84.0.
        * CocoaPods: Requires ‘pod’ in version >=1.11.0. Found version 1.16.2.
        - Composer: Requires ‘composer’ in version >=1.5.0. Tool not found.
        + Go: Requires ‘go’ in version >=1.21.1. Could not determine the version.
        * Npm: Requires ‘npm’ in version >=6.0.0 and <11.0.0. Found version 10.2.4.
        - NuGetInspector: Requires ‘nuget-inspector’ in no specific version. Tool not found.
        + Pipenv: Requires ‘pipenv’ in version >=2018.10.9. Could not determine the version.
        + Pnpm: Requires ‘pnpm’ in version >=5.0.0 and <10.0.0. Could not determine the version.
        + Poetry: Requires ‘poetry’ in no specific version. Could not determine the version.
        + PythonInspector: Requires ‘python-inspector’ in version >=0.9.2. Could not determine the version.
        - Sbt: Requires ‘sbt’ in no specific version. Tool not found.
        - Stack: Requires ‘stack’ in version >=2.1.1. Tool not found.
        - Swift: Requires ‘swift’ in no specific version. Tool not found.
        + Yarn: Requires ‘yarn’ in version >=1.3.0 and <1.23.0. Could not determine the version.
Other tools:
        + Conan: Requires ‘conan’ in version >=1.44.0 and <3.0.0. Could not determine the version.
        - Pub: Requires ‘dart’ in version >=2.10.0. Tool not found.
VersionControlSystems:
        * Git: Requires ‘git’ in version >=2.29.0. Found version 2.34.1.
        - GitRepo: Requires ‘repo’ in no specific version. Tool not found.
        + Mercurial: Requires ‘hg’ in no specific version. Could not determine the version.
Prefix legend:
        - The tool was not found in the PATH environment.
        + The tool was found in the PATH environment, but not in the required version.
        * The tool was found in the PATH environment in the required version.
ScanCode license texts found in ‘/opt/scancode-license-data’.
Not all tools requirements were satisfied:
        ! For some tools the version could not be determined.
        ! Some tools were not found at all.

And specify (relevant parts of) your ORT configuration (config.yml):

ort:
  analyzer:
    allow_dynamic_versions: true
    enabled_package_managers: [ NPM ]
    packageManagers:
      Npm:
        options:
          legacyPeerDeps: true
          

Additional context

I don't know if this is relevant but we run ORT on a compound repository where several projects are cloned as git submodules.

Content of one of the affected package.json files:

{
  "name": "@my-product/sub-component",
  "version": "0.0.0",
  "type": "module",
  "peerDependencies": {
    "@angular/common": "16.1.6",
    "@angular/core": "16.1.6"
  },
  "dependencies": {
    "tslib": "^2.0.0"
  }
}

daniel-kr avatar May 28 '25 12:05 daniel-kr

The project is set up in a monorepo that consists of a root package.json and additional package.json files of sub-components.

Monorepo layouts with workspaces in conjunction with NPM are currently not supported, see https://github.com/oss-review-toolkit/ort/issues/9699. However, I wonder why you get another error message than mentioned there.

sschuberth avatar May 28 '25 13:05 sschuberth
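To check whether a repository matches the layout discussed above (sub-component manifests whose peerDependencies are declared only by an enclosing package.json, with or without a `workspaces` field), the following triage helper can be run over the parsed manifests. It is an added example, not ORT code and not part of the original thread, and it does not determine the cause of the error. The root manifest, its name and the function names are constructed for illustration; the sub-component manifest is the one quoted in the issue.

```javascript
// Added example (not ORT code). Keys are repo-relative manifest paths, values are parsed JSON.
const sampleManifests = {
  "package.json": { // constructed root manifest
    name: "my-product-root",
    dependencies: { "@angular/common": "16.1.6", "@angular/core": "16.1.6" },
  },
  "libs/my-component/package.json": { // manifest quoted in the issue
    name: "@my-product/sub-component",
    version: "0.0.0",
    type: "module",
    peerDependencies: { "@angular/common": "16.1.6", "@angular/core": "16.1.6" },
    dependencies: { tslib: "^2.0.0" },
  },
};

// "libs/a/package.json" -> "libs/a"; "package.json" -> "" (repository root).
function dirOf(manifestPath) {
  const i = manifestPath.lastIndexOf("/");
  return i === -1 ? "" : manifestPath.slice(0, i);
}

// Names a manifest declares itself (dependencies and devDependencies).
function declared(pkg) {
  return new Set(Object.keys({ ...pkg.dependencies, ...pkg.devDependencies }));
}

// Manifests located in strictly enclosing directories, nearest first.
function ancestorsOf(manifestPath, manifests) {
  const dir = dirOf(manifestPath);
  return Object.keys(manifests)
    .filter((p) => p !== manifestPath && (dirOf(p) === "" || dir.startsWith(dirOf(p) + "/")))
    .sort((a, b) => dirOf(b).length - dirOf(a).length);
}

// For each manifest: does it declare workspaces, and where do its peers come from?
function classifyManifests(manifests) {
  return Object.entries(manifests).map(([path, pkg]) => {
    const own = declared(pkg);
    const ancestors = ancestorsOf(path, manifests);
    const peersFromAncestor = {};
    const peersUnresolved = [];
    for (const peer of Object.keys(pkg.peerDependencies || {})) {
      if (own.has(peer)) continue; // satisfied by the manifest itself
      const provider = ancestors.find((a) => declared(manifests[a]).has(peer));
      if (provider) peersFromAncestor[peer] = provider;
      else peersUnresolved.push(peer);
    }
    return { path, declaresWorkspaces: "workspaces" in pkg, peersFromAncestor, peersUnresolved };
  });
}
```

To use it on a real checkout, build the input map by reading every package.json outside `node_modules` and parsing it with `JSON.parse`.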

I forgot to mention that it used to work with ORT version 34.0. From what I see, this also applies to https://github.com/oss-review-toolkit/ort/issues/9699.

daniel-kr avatar May 28 '25 13:05 daniel-kr

I don't even understand the error message. The path to which package.json is null and why is it null? 🤔

daniel-kr avatar May 28 '25 14:05 daniel-kr

I can confirm this issue. I have the same issue with a project, built by gradle and npm. The message in the analyzer-result.yml is:

      'NPM::frontend/package.json:':
      - timestamp: "2025-06-12T12:18:34.460951158Z"
        source: "NPM"
        message: "NPM failed to resolve dependencies for path 'frontend/package.json':\
          \ IllegalStateException: The path to 'package.json' is null in ModuleInfo(name=null,\
          \ version=null, path=null, id=null, dependencyConstraints={}, dependencies={},\
          \ optional=false, dev=false, resolved=null)."
        severity: "ERROR"

rabe42 avatar Jun 12 '25 13:06 rabe42